I have Metricbeat pushing data to Elasticsearch. A document of the index appears like the following:
{
  "_index" : "metricbeat-system-2019.07.16",
  "_type" : "doc",
  "_id" : "F1nl-WsB5ioPniMf8fmp",
  "_score" : 1.0,
  "_source" : {
    "@timestamp" : "2019-07-16T08:28:44.731Z",
    "event" : {
      "dataset" : "system.process",
      "duration" : 69828626
    },
    "system" : {
      "process" : {
        "cpu" : {
          "total" : {
            "value" : 0,
            "pct" : 0,
            "norm" : {
              "pct" : 0
            }
          },
          "start_time" : "2019-06-05T23:29:26.000Z"
        },
        "ppid" : 2,
        "pgid" : 0,
        "state" : "sleeping",
        "memory" : {
          "share" : 0,
          "size" : 0,
          "rss" : {
            "bytes" : 0,
            "pct" : 0
          }
        },
        "pid" : 3527,
        "name" : "scsi_tmf_29",
        "username" : "root",
        "fd" : {
          "open" : 0,
          "limit" : {
            "soft" : 1024,
            "hard" : 4096
          }
        }
      }
    },
    "fields" : {
      "module" : "system"
    },
    "beat" : {
      "name" : "elklogstash01.mydc",
      "hostname" : "elklogstash01.mydc",
      "version" : "6.6.1"
    },
    "host" : {
      "name" : "elklogstash01.mydc"
    },
    "metricset" : {
      "name" : "process",
      "module" : "system",
      "rtt" : 69828
    }
  }
}
I want to search by hostname, so I am using the following query. However, the results are not honoring the filter.
GET metricbeat-system-2019.07.16/_search
{
  "aggs": {
    "data": {
      "filters": {
        "filters": {
          "hostname_filter": {
            "match": {
              "host.name": "elkkafka01.mydc"
            }
          }
        }
      }
    }
  }
}
Any suggestions?
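The following is an added example, not part of the original post and not Elasticsearch or Metricbeat code. It contrasts the request body from the post (hostname restriction only inside a `filters` aggregation) with one that also carries the restriction in the `query` clause, and runs both through a small in-memory stand-in for a search so the difference is visible offline. The two sample documents are constructed for the example, `run_locally` is a deliberately simplified model of search semantics (no scoring, only `term`, `match` and `bool`/`filter`), and the `term` query assumes `host.name` is a keyword field, which is the Metricbeat 6.x default mapping. The point it shows: an aggregation buckets the hits, it never narrows them, so without a `query` clause every document in the index is still returned, which matters if that hit list feeds a per-host report or alert.

```python
"""Why a `filters` aggregation does not narrow search hits (added example)."""
import json

INDEX = "metricbeat-system-2019.07.16"

# Constructed sample documents; only the fields the example needs are present.
DOCS = [
    {"host": {"name": "elklogstash01.mydc"},
     "system": {"process": {"name": "scsi_tmf_29"}}},
    {"host": {"name": "elkkafka01.mydc"},
     "system": {"process": {"name": "kafka"}}},
]


def aggs_only_body(hostname):
    """The body from the post: the hostname restriction lives only in the
    aggregation, so it buckets matching docs but every doc is still a hit."""
    return {
        "aggs": {
            "data": {
                "filters": {
                    "filters": {
                        "hostname_filter": {"match": {"host.name": hostname}}
                    }
                }
            }
        }
    }


def filtered_body(hostname):
    """Same aggregation, plus the restriction in the `query` clause, where it
    applies to hits and aggregations alike. Assumes host.name is a keyword
    field (Metricbeat 6.x default), hence `term` rather than `match`."""
    body = aggs_only_body(hostname)
    body["query"] = {"bool": {"filter": [{"term": {"host.name": hostname}}]}}
    return body


def _get(doc, dotted):
    """Resolve a dotted field path such as 'host.name' against a document."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def _matches(clause, doc):
    """Evaluate the small subset of query DSL used here: term, match, bool/filter.
    This is a model for illustration, not Elasticsearch's analyser-aware matching."""
    if "term" in clause or "match" in clause:
        (field, value), = (clause.get("term") or clause.get("match")).items()
        return _get(doc, field) == value
    if "bool" in clause:
        return all(_matches(c, doc) for c in clause["bool"].get("filter", []))
    raise ValueError("unsupported clause: %s" % json.dumps(clause))


def run_locally(body, docs):
    """Simplified search model: the query selects the hits, then the filters
    aggregation counts how many hits fall into each named bucket. With no
    query clause Elasticsearch uses match_all, so every document is a hit."""
    query = body.get("query")
    hits = [d for d in docs if query is None or _matches(query, d)]
    buckets = {}
    for agg in body.get("aggs", {}).values():
        for name, clause in agg["filters"]["filters"].items():
            buckets[name] = sum(1 for d in hits if _matches(clause, d))
    return {"hit_count": len(hits), "buckets": buckets}


if __name__ == "__main__":
    for label, body in (("aggs only", aggs_only_body("elkkafka01.mydc")),
                        ("query + aggs", filtered_body("elkkafka01.mydc"))):
        print(label, "->", json.dumps(run_locally(body, DOCS)))
        print("GET %s/_search\n%s\n" % (INDEX, json.dumps(body, indent=2)))
```

Running it shows the aggregation-only body returning both documents as hits with one document in the `hostname_filter` bucket, while the body with the `query` clause returns only the `elkkafka01.mydc` document. Either request body can be sent as-is with `GET metricbeat-system-2019.07.16/_search` against the real index; the `filters` aggregation can then be dropped entirely if only the hits are wanted.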